WWDC2003 Session 618

Transcript

please welcome Rob Nevel
the podium thank you everybody my name
is Rob Nevel and I manage the
engineering team that does managed
desktop for 10 the sign outside says
this is managing for a networking
environment if you're here just just to
hear something about managing in a
networking environment it's going to be
different than that because today we're
going to be talking about is developing
for a managed client environment for Kim
okay so today what we're going to be
talking about is developing for Mac OS X
managed desktop Mac OS X is a managed
environment and we're going to be
discussing in a variety of ways how it
is a managed environment ostensibly what
we did when we were here last year is we
introduced you to the concept of Apple
desktop management and it's a year later
we've got a year's worth of software
under our belt we've got we've got
customers who are actually utilizing the
product and have been giving us feedback
we've got developers here who are
developing products to work in that
environment so we'll be discussing you
know where we are where we where we are
today where we've come from and what it
is you guys need to do and to learn to
provide solutions and to customize your
environment to work better in this in
this environment so we're going to be
talking about a managed environment so
I'd like to turn the Wayback Machine
back take us back in history five years
back before there was a Mac OS X and
what we had then was the Mac OS, Mac OS 9,
Mac OS 8 and that was an unmanaged
computer you plugged it in you you
booted you came up to the finder you
could do whatever you want whenever you
wanted you got up and walked away from
your machine somebody could sit down
behind you do whatever they want
whenever they wanted you had no way of
controlling that environment at all to
do that to do any sort of control at all
you had to get additional software Apple
provided you additional software was
called Macintosh Manager Macintosh
Manager gave you the notions of having
multiple users use a particular machine
putting access control which
applications could be accessed which
printers could they use a variety of
things you needed a server to be able to
do that but you started getting the
notion of managing the computer well Mac
OS X comes along
let's fast forward to the present Mac
OS X comes along and out of the box it's
a managed environment if I go home today
and open up a brand-new computer and
boot it up turn on Mac buddy install the
software pick my admin account get up
and running I auto login turn on fast
login so I just come up I never see a
login screen the user thinks that
they're not managed but they are there
are some things that I cannot do as that
administration user that only a super
user can do so right out of the box
there are at least two users of the
system and I am NOT by default the
superuser so just right out of the box
where we've got a management we put
people into a home directory they get a
home directory for free even on a local
machine so even without any Apple
desktop management at all you are
managed taking taking that one step
further then I start adding users again
if we're just even in a local
environment so at home I have user
accounts for my wife for my children I
don't have any server involved none of
them I have no managed preferences which
is what our group primarily does I've
never run a workgroup manager I still
have a management bar I don't have
access to the data in my kids home
directory unless I go in as a super user
so we'll be discussing a little bit that
as we just have and we're also going to
be discussing some of the customer usage
scenarios that we've seen what I just
discussed briefly was just a normal
setup where I have a single machine with
just multiple user accounts that's a
managed environment will be talking
about what Apple's desktop management
solution is what it is what it isn't
tell you i'll be talking briefly a
little bit about what we've learned so
it's been a year people are starting to
if you if you went to michael ops
session yesterday on on the desk
Solutions you talked about deployment
access and assessing the deployment and
rolling out well people have been been
rolling out starting to roll out
solutions and for those of you how many
here are working an IT department or
working IT okay how many of you are
application developers okay so we've got
looks like it's about 70 30 70
applications developers thirty percent
IT so so with IT you IT folks you know
that you test out a deployment before
you roll it out to your customers or or
disaster will have an animal in most
cases so what happens is as you're
deploying that you find the glitches and
the Duchess and and you've been giving
us feedback on some of those
implementations and we've taken those to
heart so we'll be discussing some of
those and where we're going to be taking
Apple desktop management going forward
I'll be showing you a little bit about
what's new in 10.3 which will be
coming out soon and what it is you
seventy percent of the people in here
what it is you're going to need to do to
work in that environment things you're
going to need to to pay attention to and
really what you're going to need to do
going forward so let's jump over to our
customer usage model because this is the
way we think about what we think about
when we're developing software at least
in my organization we try and identify
who our critical customers are some of
you are in this room if you're not on
this screen no no come talk to me after
the session and we'll start paying
attention to what your usage scenario is
but what we do is we look at various
customer scenarios and try and gear our
software in the solution that we're
developing to meet one of these customer
scenarios so the first one we have is a
one-to-one deployment what do I mean by
that that's a scenario whereby I hand
you a PowerBook I own the PowerBook you
don't own the PowerBook I have given you
an account on that PowerBook let's say
it's employee you do not have superuser
access to that machine you don't even
have admin access to that machine I put
everything on that machine that you
could possibly want to use that I can
think of but can you add new software to
it not if it requires admin access to do
that you would have to give it back to
me to install new software on it but
it's my physical machine I give it to
you you can add bookmarks you can do
whatever you can do as a user you have
physical access to the machine but you
don't have admin access and one of the
one of our significant customers of this
is the school where schools will hand
out CPUs on a temporary on a long-term
basis so owned by the school system and
it's given to a student it's got a
student account on it student it's just
a free free form PowerBook goes wherever
they go you can also be a desktop you
said this is your desktop machine here's
your cubicle here's you have an account
on that machine I've set it up it may be
network that may not be networked but
there you go but you don't have admin
access to the machine then there's a
full-blown IT deployment where I've got
server in the back I may have big iron
behind the server in the back room
you've got network accounts I have site
license software that I have in numbers
of seats that each individual can use so
I control which printers you can have
access to which applications you can
have access to how much data storage you
have on my servers what servers you have
access to what your user name is what
your password is how often you have to
change your password how long your password
needs to be what sites you can access
what you can access I control all that
you see in here so in that particular
case mostly the people have network
accounts so that's real useful but that
in and of itself and we tried to solve
some of this can create problems usually
not for a big IT place but I was it was
in the session yesterday we're we're
talking about where you user got up and
spoke at the
book at the podium at the microphone and
he was saying we still have 10BASE-T
we're still deployed on top of 10BASE-T
well so if I have all my network storage
and it's all happening over 10BASE-T
now with significant amounts of data
flowing around and lots of people using
my 10BASE-T network even just doing
browsing you can definitely run into
run into into bottlenecks so downloading
some of that stuff off of the net is
something which we've attempted to try
and solve the other thing is the
scenario that I alluded to it in the
beginning where you have you know it's
an at-home kind of setting though though
I know that some of you out there are
deploying capabilities as an IT solution
as well this is primarily geared towards
a small or very small number usage and
that's the capabilities however the
capabilities scenario which allows you
to control media so johnny can burn a CD
Johnny can't burn a CD but I can and
what applications Johnny can use I don't
want Johnny musing the terminal those
kinds of things it's primarily for
application access control and media
access control and it's in a small small
environment but the mechanism for doing
that is the same mechanism as what what
is used in a big system we don't have a
separate means for funneling that kind
of data down to the system we use the
same mechanism for capabilities as we do
for a full managed environment and
ninety then we get the mobile user and
the mobile user is a little bit
different from the one to one deployment
I was talking about in this case I gave
you the computer you have a network
account you have this computer you sit
down you connect up to the network and
you login your login with a username and
password and then you unplug that on the
network and you home you take it on the
road with you and I control I kept some
medium of control but maybe not as much
I may have getting say that you can
access the CD or not but it's in a mixed
environment and there are others and you
know and we want to hear what those
others are now we really want to get a
feeling for how it is the two people are
using the product because if you the
clearer the feedback you give us the
better the product we can deliver to you
so so what is it that we're talking
about here Apple managed desktop so
Apple managed desktop is a mechanism for
managing resources and what is that well
that's people well so I manage people by
managing user lists by managing
passwords and passwords policies it's
managing equipment settings and there's
some new ones that we're managing it's
you know just computer turn off at ten
o'clock at night you know does do I have
screensavers come on not screen savers
but do I have you know visit does the
monitor dim automatically do you have
access to these kinds of applications
applications or resources so how do we
do that as we do that through workgroup
manager primarily capabilities is
handled through the system in a small
kind of environment but what you have is
you have your personal environment where
you have your accounts right and if you
move from accounts on a local level for
a system you move to Workgroup Manager
Workgroup Manager basically is a
bigger accounts management pane with
lots of lots more options because you
have much more that you can control but
what is Workgroup Manager Workgroup
Manager is primarily a directory editor
it edits data that sits in a directory
and that's going to become much clearer
to you all in with Panther because for
me excuse me for me a key feature of
Workgroup Manager in Panther is the
inspector what that gives me is that
gives me the ability to go in and edit
my directory raw now that's a lot of
power and there's not a lot of sanity
checking that happens when
that goes on so you know buyer beware
user beware in this particular situation
what we do in my group which handles
primarily handles the preference setting
and as we look into Workgroup Manager
you'll see and we'll be dealing a lot
with the preference setting is we take
those preferences and we put them into a
into an XML into an XML format and we
store those in the directory structure
we really don't and then when a user
logs in we go out to the server based on
what machine the user's logging in on who
the user is what groups they're they're
part of or have chosen to be part of for
this particular session and we get that
XML data out of the directory we
unionize it or munge it put it down to
the local system and that sets what
their preferences are we also do on
volume mounting as part of the the
programmatic process that happens we
also pass information off to the system
so that if you have applications that
need to launch or those kinds of things
we set those preferences so that other
system services can take advantage of
those but we really don't do a lot of
actions other than other than that we
are not access control lists though we
do allow for for permissions and
preferences and things like that we're
not setting up access control lists so
we have a managed environment the top of
the managed environment chain for us is
users the first thing you do is you set
up users and you set them up usually
with home directories not always because
I can set up a series of users and they
don't have home directories maybe
they're all FTP users in that case they're
managed they're managed FTP users they
don't have they're not going to be
accessing this particular device and so
they don't have home directories
in those home directories we store
preferences so again a bunch is changed
with Panther and the things that you as
developers and you as IT folks really
need to pay attention to and that is
today with Jaguar I sit down and I login
as me and until I log out I'm the only
one using the machine for the most part
now I know people can ssh in people can
ftp in that people can do a bunch of
stuff but as far as accessing
freestanding native Mac OS X you know
GUI applications I'm the only one that's
doing any of that while I have that
session going alright so I have full
access to the keyboard the mouse the
monitor I control all that I see in in
here primarily well now we have fast
user switching so that I can get up from
my my desk go to lunch or I can be in a
lab and be sitting there and accessing
it and then my lab partner can switch
over to their account so now you have
two people logged into the machine at
the same time and application developer
me puts all those things in a global
space or with an absolute path well user
two can access the data that user one is
accessing because I've got it open and
running so those are some of the things
that you really need to be thinking
about when you're developing solutions
or when you're testing out your products
don't require specific folders now last
year when I was given this this kind of
presentation I had a whole scenario
where I showed a demo I ran fs_usage
on a bunch of applications and showed us
some applications were being bad and
they were doing lots of i/o and vaio
over the network it's bad I tried to
look for some applications that were
doing some bad things so early
iterations of some people's software if
you didn't have a specific folder with a
specific name the application would
crash
now if you want a specific folder some
of these applications they will create a
new application with that particular
folder but our customers like to
customize customers customized and don't
require them to have a specific folder
don't you know my app folder so you
provide an application and it has to
have these don't use specific folder
names use relative names where possible
allow for one installation per CPU but
don't require don't disallow multiple
users from accessing that particular
application this is you know that the
fast user switching scenario you can't
be sure that only one person is going to
be trying to run your run your
application may be multiple users the
machine also assume that your
application will be accessed over the
network so why is that well that's for a
couple of reasons I I do some beta
testing for some from Mac OS X
applications which I can't talk about
because they're still in beta and one of
the first bugs I wrote on these
applications was I logged in using my
network user ID which is out on the
network and I tried to run the
application that crashed it didn't like
me not running locally it also didn't
like me not running as admin which is a
totally awful different scenario so so
they're two different things one assume
that if I'm doing I/O for example if
I'm writing out to a cache or I'm storing
files in temporary folders that are
stored out on the network you have to
assume that where where that user's home
directory is could be out of the network
and that if it's out over the network
where we ran into here this morning is
there's a really big AirPort
configuration here for all you guys to
have AirPort access that can get really
busy and if I'm booting or running it
multiple applications all of them over
work and all of this data in my and
various Network home directories it
might not be the fastest AirPort
implementation in a lot of cases we have
AirPort solutions that we've showed the
schools and they haven't updated to the
new new faster AirPorts so they're
accessing their network folders over
AirPort with 30 40 people connecting
through the same AirPort base station at
the same time and the performance goes
into the toilet so you as developers
need to take that into consideration
when you're writing your applications
also don't require the users to run your
applications if you're developers out
there to be to have admin access as we
get back to you as I get back to the
usage scenario most of our users aren't
running is that most of them are running
as network users and some percentage of
them know an admin password for their
machine but a large number of customers
do not and some subset of customers one
customer two customers might be forty
thousand users where none of those
40,000 users know their admin password
so use our product to test your product
use the capabilities services to test
your product to test our product test
your products excuse me Workgroup
Manager what is Workgroup Manager
Workgroup Manager is a way to manage
system level preferences how many of you
have used Workgroup Manager here on Jaguar
we people in room user for manager okay
so about 20 25 percent so for those of
you who have not Workgroup Manager
allows you to set preferences into three
and three separate categories and will
I'll be showing you a Workgroup Manager
demo here in a bit now go into a little
bit more because of 75 percent of you
haven't used it basically we have the
notion of three different groupings we
have users which I think what you're all
familiar with we have groups which are
sort of all familiar with you that the
users are part of groups
and you're familiar with that and then
we have computer lists so basically what
what happens is when the machine boots
up it is bound to in most cases are in a
lot of cases it's bound to some
directory in the network so it gets
network services available to it is
bound to some directory and the machine
will go to that directory and find out
whether or not it knows about me on the
computer doesn't know about me am I in
its list yes or no if I am are there any
preferences associated with me my
specific device there may or may not be
if there's not if I'm not in a list of
the known computers does the binding
handle guest computers so anybody who
comes and plugs in the machine so and
what preferences are associated with
that maybe I require everybody logs into
my network to have a list log in things
like that will show you some of that
when we get into showing you Workgroup
Manager then it puts up the user list
you get a loser you stand get to pick
what user I want to log in as once I've
logged in as that you then I get to pick
what group the user might be a member of
multiple groups and I can set
preferences at each of those levels and
we'll show you how we do that Workgroup
Manager also sets nan and then that's
the MCX data those for system-level
preferences and well as we'll see it
also sets up non MCX data that's this is
Workgroup Manager where I go and I add
users and I I add home directories I add
group volumes that are that are
accessible to them and I set up
parameters and policies for those users
this user has a home they have 5K as
storage in it because I don't have I
have thousands and thousands of users
using this particular machine and I
don't want them to have a lot of network
storage 5K is really small but let's
say five meg or 100 meg or something
something small so
I'm already managing those users by
telling them this is how much how much
storage you have on my network devices
the other thing to remember with Workgroup
Manager is it's directory centric so I can
set this thing up in a directory I can
configure users and those users could
have home directories on a totally
different set of machines set up and
Workgroup Manager where those home
directories are does not need to be on the
machine that is holding for information
so Workgroup Manager is a directory
centric it's not a server centric
configuration again take the Wayback
Machine back five years ago and what we
were dealing with was AppleShare and
AppleShare IP where your user list
was specific to a specific machine what
we do when we move into a directory
centric model is I can you have the same
username and password and have that be
accessible in multiple different arenas
so what's new for 10.3 well there's
a couple of things and the first one
that you see up there mobile accounts is
something I'm really happy with it's to
solve a customer problem and we'll get
to one of our usage scenarios and that
usage scenario is the mobile environment
I give you again thank you very much for
volunteering I give you this PowerBook
and you have a network ID because you're
an employee for me so you have a network
ID you have a network account where I
gave you so much data storage on my
server and you can log in when you log
in you log in with your network ID your
username and password and you're sitting
at your desktop with your PowerBook and
everything's fine you unplug that
PowerBook from the network and you go
home you go on the road you try and log
in using your network ID and you can't
because there's no network user on that
local device so what do you do I've
given you admin access to that
particular machine so you can do some
stuff I'm you know I'm the nice guy and
you've got
ola machine so you create a local user
with your first name only and you do
your work because I put all the
applications that you really need to put
them all locally so you do your work you
come back in you connect up to the
network you type in your network
username and password and you logged in
as your network user you now don't have
read/write access to the to your original
documents that you've just been spending
all this time working on so log out log
back in as my local user with your first
name well mount the directory but now I
don't have read/write access to my
network home directory what am I going
to do haha you're going to use mobile
accounts mobile accounts what that will
allow you to do is I as an administrator
to know what you're going to be doing so
I say for you you have the ability to
set up a local account with the same
name and password and to the system it
looks like the same user so you have the
same permissions the same group access
the same user ID all that's the same I
unplugged that machine I take it home
and take it on the road I type in the
same username and password I get the
same password policy everything is
everything is the same I plug it back
into the network now what this won't do
this is just account creation at this
particular juncture this is a
transitionary solution what we will do
for you and we will allow you to do is
we will mount your network home
directory on your desktop when it's
available so that I do my work and I
want to copy the stuff up to my data
storage on the network let's say I only
have 100 Meg data stored well that's
fine for my documents the documents that
have changed my spreadsheet maybe or
this and that nothing I can copy them up
I don't have to worry about permissions
I not to worry about any of that stuff
we don't do that for you we will mount
the volume for you but we won't do the
copying for you we will put the
documents folder your doc
again for easy transferring of data so
you'll have a network account documents
folder will be there your network
account home directory will be in your
desktop if you if you want it and you
asked me to set that up for you we don't
set up the synchronization our utilities
rsync and some other utilities and
we're providing the the OS is providing
utilities going forward that will allow
those kinds of things to happen but for
doing file copying and access we don't
do that so if I go home and I connect up
to a hundred different browser sites
right and I add 'em bookmarks and then I
want to log in at work on my desktop
with the same user ID I'm not going to
get those unless I copied them in which
case then I will so very excited about
that I think I think that'll be a real
plus make it a lot easier for people to
work and I know it'll make a lot easier
for me to work additional login window
options in new and Mac OS 10.3 we have
auto log out I use this now I set mine
for 45 minutes I get up I go to lunch
and when I come back in I'm sitting at
the login screen I'm not sitting at the
screen saver I may be at a screen saver
depending on how I've configured that
but I'm but I've actually logged out so
auto log out and the ability to to
manage that again we have fast user
switching way and we've given you the
ability to manage that we've given you
the ability to turn that off and on
because what you may want is you may
want to have fast user switching on on
most of the machines in your lab except
for that special one on the back which
has a new video card or something else
we've also and its people talk to me
about this yesterday it is another
session just because they saw who I was
or remembered me from from past years
and that is the ability to mount
additional share points so you can it's
not just week what we currently have
today is if you if you're a member of a
group you can mount a group share point
and that's good because you know sort of
workflow oriented but this gives you the
ability to mount additional ones because
people are saying well yeah I want I'm
going to be able to mount a group one
but I also want them to be on them on
the documents one and I also memo on a
pictures one and things that are going
to be global to a whole bunch of people
that may be across groups sorda mean
ability to do that universal access
these are things to it to handle a lot
of special ed needs and the other thing
and this comes up with with where we've
been hopefully listening to you guys and
that is for application access currently
in Jaguar today we have an allow list
allow the users to access these
applications well that's good but not
great and why isn't that great well
because you all as developers may find
and have found that at times to solve a
particular engineering need it's easier
and faster to just write a UNIX utility
that your main application then call it
munge some data in the background for
you you fork off some data to it or you
pipe some data over here and those
applications or those little utilities
aren't visible to the system in the same
way as your full-blown application is
they actually don't appearing
differently to the OS as a text file in
some cases ilderim it though there are
there file differences and extension
differences but you know if I go to open
the file it's just going to look like a
bunch of text data you know in a lot of
cases so the ability for us in a user
interface to show everything that
possibly could be an executable would be
a very big long list so we only
displayed applications so what might
happen is I allow you to run your
application I'll use Photoshop for an
example and let's say your dithering
utility is a UNIX-based tool I didn't
give my user didn't allow my user the
ability to launch that dithering tool so
guess what's going to happen when they
try to dither the image it isn't going
to work because they don't have access
to be able to do that so what we've
given you is the ability to say well
allow UNIX level tools to execute we've
also
given you the ability to have a
deny list and what we found is that what
people really want to have happen what
our customers really want is they don't
want the students to run iTunes at
school so you can't run iTunes you can't run
the Terminal you can't run the Console
you can't run this you can't run that
all the things that they can easily pick
we just tell them you can't run those
and so we've added a denialist and we
think that with these particular
different groupings we've given you a
lot more flexibility for for 10.3 so now
what I'd like to do is I'd like to show
you a demo Workgroup Manager here on
demo one so what we have here is
something which is probably familiar to
all of you we've got a little bit of a
few things that are different a little
bit different look and feel but
ostensibly this is where we this is
where everybody usually starts out and I
I'm in here and I want to create a new
user and I'll create my new user WWDC
give them a password I can I'll give
them you know what level i want them to
have I can have them the administrate
the server I can have them administrate
a domain there is no domain setup in
this particular machine so that's not
active the ability to log in or not so
I'm already starting to to layer some
management here depending on whether or
not they can administer them minister
the directory domain I can give them
granularity for that again I can't get
get to that particular one because
because we're not administering a domain
here then we have let me say that so we
have now a new user we have a variety of
different of different options so we can
set for that user we can set their
password policy we can set what their
shell is we can assign them to groups
and we'll get to that a little bit we
can also again since this is a this is
freestanding there's another button
which pops up when it's not free
standing and that is that is a network
button where I can select say they have
a network home directory but I'll go
here under
advanced and basically what I can point to
here is now so um about comp so you know
I basically I point them to my server
this can be a server that served up over
some other mechanism it doesn't have to
be served over AFP I give them a path
and their home I can set what their I
could give them five kilobytes worth of
data storage that probably wouldn't be
really useful I can set their storage in
this particular environment so let's
revert to them I can say that they don't
have any home again that's a management
choice right there and all I'm doing is
I'm setting up a user account so what
I'm trying to get the notion to is is
you don't have to have managed system
preference data to be a managed user I
could set up mail preferences print
preferences preferences if they want to
have windows access those types of
things then I get into I can have groups
I can create a new group WWDC group and
for those of you who who use Workgroup
Manager everyday or frequently this is
this pretty old stuff we also have a
group folder here I can designate what
this particular group folder is and you
know how its configured and where it is
it doesn't necessarily need to be on the
same server but I can set that up here I
can designate it you know a full path in
the advanced mode I can add users to
this add users to then that's real easy
so adding and deleting users in this
particular environment is
these committees in that about serving
and I can't do the other portions of
that and i also have a notion of
Thanks of computer lists what you see
here is you see two things you see
computer list and Windows computers as
basic starts I can also add groupings of
computers and I can do a bunch of things
I can i can set the access for these now
so this gets into an interesting kind of
scenario whereby I can have a user that
can authenticate as who they are they
really are who they are they typed in
their username and password but I don't
allow them to use that that computer in
the back of the lab that I'd savor my
specially guys they're not allowed to
use that computer or these servers I got
a bank of servers only admin users can
use can log onto these servers I don't
want any you know Joe Blow to be able to
log in locally to log into these
servers so I can set that those kinds of
things up here too then you have a
notion of a cache and this gets more
into the into our managed client MCX
data environment and that is for for the
sake of speed and to cut down on the
network traffic and to optimize for that
as much as possible we keep a local
cache of the data that you set here so
when a particular user logs in we copy
that data some of that data down the MCX
data some of that other data when you're
creating mobile accounts we actually
create a copy of the directory structure
so that they've got the same set of
groups the same user and a loser list
that kind of thing and since the cache
aging here so what we've got here is
under switch to guest computers and I'm
switch over here to preferences man as
you see we've got we've got a variety of
different preferences that you can you
can set here from from applications
to padlock I have nothing to give it
thanks
I came to find a guest worker because
I'm local did I did idea
Thanks okay here we go good save that
and then I want to go in under 1 and
define those and I still don't there we
go I could say which applications so
what we have here is this is the option
that we have which allows unix tools to
run I can toggle that off and on basically
that allows you know any sort of UNIX
tools if it's if it's to execute you're
just going to access applications on
local volumes a lot of times what you
want to be able to do is you want to say
well I don't want them running the
network versions of these you want them
to run them locally and allow
applications to run non-approved
applications and this is an ease of use
or needs of facilitating the user's
ability to use the machine but it gives
people the ability to eat fairly easily
depending on what applications you give
them launch any number of non approved
applications but then you have this you
can launch any all applications except
these and I so I can come in and I can
say remove Activity Monitor address book
I want to be able to do that remove ARD
agent because I want to be able to
access the machine remove classic colors
tanks don't remove console so I can go
through and I can remove applications
with direct no I don't want the max s
directory access the meter and you can
set basically you can set what what
applications that they cannot access so
that's where Burke
in the Dock we've added a couple of
things to the Dock in the Dock we've added
the ability to mount a documents folder
shared folder my Applications folder
group volumes for groups since this is
computers are owner group I'm so on the
network home this gets to the mobile
account scenario that i was talking
about i want to be able to to mount your
network home as them as a share point on
the desktop you can also add documents
and folders and these can be documents
or and/or volumes that are on that are
individual separate volumes and you can
configure what the Dock is going to look
like then you have Dock display some of
this was shown yesterday basically it
says the Dock left Dock right all most
of the Dock particular Dock items don't
let's not save that Energy Saver was in
and is in is in Jaguar you have a
variety of different Energy Saver
options Finder what's new in Finder
what's new in Finder the commands we've
separated out the restart and shutdown
command again at the request of some
users who wanted to be able to say you
can tell the machine to restart but you
can't because something might happen you
may want to restart the machine but you
don't have to shut down or vice versa
you can shut it down but you can't
restart it we split out system
preferences in the past we had
application access and yet system
preferences was just a separate tab
there people wanted those separately
because they manage the ability to
access system preferences differently
than they do applications basically they
don't want people here to set the screen
saver or change the sound volume those
kinds of things so we allow them to
manage system preferences you can show
none and then I can go in and pick
print and fax and QuickTime only and
I can apply that so now the only thing
they're going to be shown for a guest
computers are QuickTime and print and
fax because that's the only thing I want
them to do
mobile accounts mobile accounts is now I
click here on what on always just
because bug standpoint but since I'm not
going to but for the most part this
would probably be best done as a once
preference and what's the difference
here because we have preferences handled
in a couple of different ways once is
like your initial setting so if I come
in and I want my initial setting on my
my Dock items to be these things these
five settings I want you know here's an
intro to the school year or an intro to
my business I want that right in the Dock
and I want a whole bunch other things
and I so I want when the user comes in
at the beginning of some particular
session or if I just rolled out a new a
new IT solution for example well I want
the help file for this new new process
to be handled or it's time for them
to pick a new health plan so I'm going
to put down in a set once setting i'm
going to put down here's a URL to the
health plan in my Dock and that's once
and then they can change that and it
won't ever show up again but if I want
something to go back and every time they
log in to be reset then I would choose
always well so shop creating a mobile
account I don't want to create this
local mobile account every time I will
again so I probably want to do that for
the first time the user logs in they get
this preference and I they want to be
able I want to give them the option to
create an account locally that maps to
their network account so this is an
example of when once probably would be
most useful however you might want to do
that always because the user might be
deleting their mobile account on a
regular basis it may actually just be
being used as temporary storage so i may
create a mobile account on a powerbook
turn the computer in at the end of the
day i delete all the users on that
computer next time that user logs in I
wanted to create another another another
accountable to the machine so there
there's uses for always save that to
Universal Access is new basically this
tries to mirror the Universal Access in
system and then the other one we have
here internet let's talk about that for
a second so and this brings up an
interesting point that I wanted to get
to so we do not manage everything in the
system from a system preference
standpoint from from managed desktop we
don't manage everything and we don't
manage everything in the same place why
do we do that well if you look at
Panther there is no internet system
preference anymore and in the internet
system preference there was what is now
in the .Mac system preference well in
Jaguar and the system preferences we had
email and we had web so oh my lord so
with email and web those things aren't
managed in Panther anymore they're
managed at an application level but for a
Jaguar clients are still managed so
that's why these are here and we also
believe that they're good to be managed
anyway but we don't manage the the iDisk
ones so because we're running out of
time here I want to show you something
which i think is really cool and that is
the inspector okay so we have the
inspector and ostensibly I'll come over
here to users I'll pick WWDC and I click
on the inspector and I've got WWDC
oh sorry come now go to inspector let me
WWDC and here I have everything that's
associated here you can see the
passwords this is standard standard
password is not using password server I
have no as just notice here I have no
data here for MCX data at all so I click
over here under computer list and i
click on inspector here you'll see oops
one second counts
you don't see any MCX data I thought I
saved that didn't do it under users let me
go in here and create them
users can use all applications except
these oh now got to excuse me the demo
that I had set up here on this
particular hard drive would not boot on
this particular machine so we're running
running without a server setting behind
me with all of this configured and now I
will come two counts users BWC and there
we have our mcx data why am i showing
you this I'm showing you this for one
reason we spit to switch back to the
slides I'm going on that's Workgroup
Manager we're going to come back to Workgroup
Manager here for a second because
there's a really neat thing as you can
do with the inspector that that i want
to show you before we leave so what have
we learned for mac OS manage client mac
OS 10 so we've learned that mac OS 10 is
a managed environment we've got most
from user accounts to file access to
application settings excuse me to system
level settings we're going to show you
application level settings here in a
minute it's been shipping since Jaguar
Workgroup Manager's been part of
part of the Jaguar 10 server it can be
running on a Jaguar machine people are
just beginning the IT folks are just
beginning to deploy this they've been
evaluating it and are now rolling out
solutions we're getting the feedback
from you all we're getting the feedback
that we did with a deny list that we're
adding to panther those kinds of things
the gutters that you've run into a
preference preference storage we want
you to do a couple of things for for
preference storage and that is wherever
possible we want you to cache files
locally where possible and this it's a
little bit schizophrenic here because I
also want you to associate these things
with the user records because more than
one user can be accessing the machine
and I don't want you to have a global
data floating around
but I want you to try and prevent
wherever possible prevent network
bottlenecks and basically what that does
is I mentioned you trying to optimize
your your IO as much as possible so that
you're not doing a lot of small reads
and writes because a ton of small reads and
writes spread across a whole bunch of
folks all funneled through you know one
switch or all funneled into one
ethernet port of the back of one server
can really can really slow slow our
users down multiple user environments
are a factor that you have to pay
attention to so as I mentioned before by
paying attention and one of the things
that we did was we added you deny lists
for users you restrict user access and
hopefully that will prevent the errors
from happening and potentially the hangs
from happening when not all of the
utilities that you use to provide your
solutions are available for the users
users are accessing or accessing their
home directories over AirPort is this
the optimum solution and was this the
design implementation that we thought
about when we're doing home directory
implementations no this is what the
users are doing yes so you need to take
that in mind when you're developing your
solutions or you're providing your
applications is that they're doing I/O
to their network home directory it may
not be disk i/o speeds and users want
their application preferences to be
manageable as well so what I'm going to
be showing you here is we switch back to
this demo machine is what we have here
is a list of the MCX data that's stored
and as you notice here this is the
inspector editor here you have the XML
and we've got application access that's
the key things are forced
we have where we set it application
access preferences so what I'm going to
be doing here is let me cancel out of
this go back here to this application
access click on hand click on
preferences and i'm going to set an
internet preference web always I want my
homepage to be let me the apple com and
default web browser to be Safari shut
that see if I got so far right here ok
so I'm setting my default thing and I'll
apply that so that's good now I've set
my default web page here Safari actually
is one of the applications which uses
this internet settings and so now people
will go to wwm well that's all well and
good but but I want more so what I'm
going to do here is I'm going to go
under my applications and I'm going to
open up safari and I'm going to this
should be interesting to the IT folks it
may not be interesting at all to you
application developers out here with a
possible exception of if you do this
with your preferences your customers are
going to be able to do this with our
product so we're going to look at your
preferences oh look hmm the homepage
here too well let me do HTTP
let me set it here and let me say Oh
open save files after downloading I
don't want them there could be a virus
in all of those files so I'm going to
change that I don't want to do that and
that looks good bookmarks yeah that
looks good too I want them to enable tabbed
browsing new tabs will set that autofill
may security I want to block popup
windows yeah i'm sure i want to say that
okay so i just set up the preferences
for this application by myself so now
i'm going to quit this application and
i'm going to go under my home
and I'm going to open the shop with
there's a plist editor I didn't want to
open up a plist editor let me quickly
plist editor
preferences safari I am going to take
these I'm going to copy this paste it
into a new file save that file as Safari
prefs put it in my home directory go back
here under Workgroup Manager to save
now we're going to edit these
preferences here so what I've got here
is I've got application keys and a lot
on application keys and here we have
apple down internet com so I am going to
change this to Safari
and paste that in there and now I've
just pasted in so I was able to connect
up to the other server basically what
i've done is i have now added Safari
preferences to this particular user's
system preference its preferences so
when they log in and they mount launch
Safari they're going to get those same
preferences I could do that to a group
of users I could do that to a computer
list any preferences I can set in an
application that are stored in
CFPreferences using the inspector with
Workgroup Manager you can copy and paste
those preferences into their MCX data
when that user or group logs in that
data will get composited and put in
their plist file for Safari in their
home directory and they will get those
preferences too so we're giving you a
lot of very powerful tools with
Workgroup Manager going forward and and
we don't do any sanity checking here if
I pasted this in on the wrong place
offset that dictionary by one those
preferences might not have launched so
it would have behooved me to make a copy
of those preferences first save those
out so I'd have been able to restore
should it not work and it also behoove
me to test out those implementations
first but this allows you to go into any
application that stores the bulk of its
preferences in CFPreferences and to
be able to edit those preferences with a
text editor with any editor of your
choice back to the slides so what are
the development guidelines these are the
things we want you to think about your
product will be used in a managed
environment so test with our product you
should have been given a CD with the
server software on it so so install the
server software run this software locally
run this stuff locally it considered on
a machine and run all these preferences
locally for local users or you'd set up
a server so you're actually doing
traffic over the network and you'd be
run into the problems you can you can
debug them in a network environment run
capabilities in the version of Panther
that we got the capability stuff has a
big not yet implemented on
but it will be implemented with other seeds
coming up run capabilities the
capabilities default because we're
addressing a different market segments
with our capabilities but our the
workgroup manager product might be
different so it would behoove you as a
developers to check those up assume that
your applications will be controlled in
some fashion so if you have helper
applications please call those out in
your documentation if they're really
full-blown applications so if let's say
I have a chart application that that
puts up a pretty graph based on the data
in my in my application and that's a
real application that i that i right
it's you know bundled Cocoa app for
example you know put that in the
documentation so if a user is doing an
allow list they can they can pick all
the applications that are very useable
minimize wherever possible the use of
the unbundled applications because some
users some IT folks might see allow UNIX
tools and get scared and not want people
to use those and if you have some
utility or some scripts that you that
you go and execute as part of your
solution those won't be runnable because
we will say that the administrator is
the king the administrators set
something up in a particular way we will
try and enforce that if it says don't
give access to this particular
application of these particular sets of
applications we won't and assume that
your product will be used on the network
so try and optimize your i/o wherever
possible wherever possible don't assume
that the configuration that you test
within your office will be the
configuration that the user has in
theirs so try not to hard code file
path names use CFPreferences again
you just notice me how easy it was for
me to cut and paste those system
preferences up from Safari to MCX and
put it into the MCX data it's the same
data rolling your own preference
management might not work well in the
future there are no guarantees but if
you use CFPreferences going forward
we'll still be able to manage that
so just to close up and to wrap this
wrap this up Mac os10 is a managed
environment you guys are IT guys you
already know that application developers
I want to thank you very much when I was
seeing putting together this particular
presentation last year I had I showed
three applications that were bad and I
showed how their behavior was bad and
there wasn't there were some Apple
applications too and you know I really
thought that there I would it would
still be really easy to find bad
applications and I went and checked a
lot of your applications out there and
you guys listened thank you very much
you're not doing a lot of the things
which preclude you from running in this
environment and keep up the good work I
didn't show any bad applications out
there because I can't find any and what I
found was things like Safari things like
you know other applications that are
storing their preferences in
CFPreferences not all of you are but a
good portion of you are and in
dictionary formats that are easily
transferable for our IT users out there
not all of them are but a good majority
of them are so thank you very much and
talk to me about what your customers are
seeing and what your customers are
needing so who to contact myself Michael
Locke who gave the over overview of this
particular stuff skip 11th your techno
your technology evangelist and the
session we had they had the session
yesterday so I don't know that we have
any following sessions